Playbook · SBOM Operations

The Medical Device SBOM Field Guide

End-to-end field guide for generating, validating, distributing, and operating SBOMs for embedded, mobile, SaMD, and hybrid medical devices.

All playbooks

Updated May 2026 8 pages 18-min read Download PDF

Why this matters

An SBOM is only as valuable as your ability to keep it accurate and act on it. The FDA's 2026 guidance assumes you can produce a machine-readable SBOM, monitor it daily, and turn CVE noise into reviewable VEX. This field guide is the operating manual: which tools, which formats, which workflows, and where teams typically fail.

Key takeaway: The most common SBOM failure mode is not technical - it's organizational. No single owner, no daily monitoring cadence, no VEX discipline. Fix the operating model first; tools second.

Choose your format and stick to it

CycloneDX 1.5 - default for medical devices (native VEX, ML-BOM, services)
SPDX 2.3+ - generate when downstream tooling requires it; keep CycloneDX as source of truth
Both formats are FDA-acceptable; pick one as canonical and document why
Never ship a PDF or spreadsheet as the SBOM itself - reviewers reject it

Tool selection by device class

SaMD / cloud - Syft, cdxgen, Trivy, language-native plugins (npm, pip, maven, go)
Mobile companion app - cdxgen for iOS (CocoaPods/SwiftPM) and Android (Gradle)
Embedded firmware - Syft + binary analysis (Binwalk, Ghidra, BLINT, EMBA)
Containers - Syft or Trivy at build time, integrated with your registry
Hardware with vendor firmware - request vendor SBOMs; document gaps

Binary analysis for firmware (the hard part)

Extract filesystems with Binwalk; identify components by signature + string analysis
Reconcile binary findings with build-system bill of materials
Capture statically linked libraries that don't appear in package manifests
Document confidence level per component (high = build-system, medium = binary match)

PURL + hash discipline

Every component gets a Package URL (purl) - reviewers use these to map CVEs
SHA-256 minimum for binary components; SHA-512 preferred
Include supplier, version, and SPDX license identifier on every component
Validate with cyclonedx-cli or spdx-tools before publishing

What's in the full PDF

Tool matrix with strengths/weaknesses per device class
Step-by-step firmware extraction + binary analysis workflow
VEX operating model with five worked justification examples
Distribution patterns: MDS2 alignment, NTIA minimum elements, customer portal
Common review-letter findings and how to pre-empt them

Want the full 8-page playbook?

Includes every checklist, table, and template - formatted for printing and sharing.

Download PDF

What's inside

Tool selection by device class (firmware, mobile, SaMD, container)
Binary analysis workflow for embedded firmware
PURL + hash discipline reviewers expect
VEX operating model with example justifications
Distribution to hospitals: MDS2, NTIA, customer portals

Get the next playbook

Subscribe to The Monthly Pulse for new playbooks, FDA updates, and field notes.

Other playbooks

Ready when you are

Get FDA cleared without the cybersecurity headaches.

30-minute strategy session. No cost, no commitment - just answers from people who've shipped 250+ submissions.

Book strategy session Explore services